Managing MAC moves with secure port groups

ABSTRACT

A method includes determining that a source MAC address is associated with a particular port that is a member of a secure group ( 34, 36 ) of ports ( 1 - 14 ) of a network edge device ( 20, 50 ). A move of the source MAC address to any port of the network edge device ( 20, 50 ) that is a member of the secure group of ports is allowed. Moves of the MAC address to any port of the network edge device ( 20, 50 ) that is outside the secure group of ports are disallowed. An apparatus and at least one computer-readable medium for implementing the method also are described.

BACKGROUND

An edge device (e.g., a bridge or a router) is a network device that connects nodes in one network to nodes in another network. The edge device maintains a media access control (MAC) forwarding table that stores entries that map MAC addresses of network nodes to the ports of the network bridge. When an ingress packet is received at a port, the edge device performs a forwarding phase lookup of the destination MAC address in the received packet and a learning phase lookup of the source MAC address in the received packet.

In the forwarding phase lookup mode of operation, the edge device looks for the destination address in the received ingress packet in the MAC forwarding table. If an entry containing the destination address is found, the edge device forwards the packet to the port listed in the entry; otherwise, the edge device may “flood” the packet on all output ports of the edge device except the port on which the packet was received.

In the learning phase mode of operation, the edge device looks up the source address in the received ingress packet in the MAC forwarding table. If an entry containing the source address is not found, the edge device adds a new entry to the MAC forwarding table that maps the source address to the port on which the packet was received. If an entry containing the source address is found, the edge device determines whether the entry associates the source address with the current port on which the packet was received or a different port. If the current port is the same as the port listed in the identified forwarding table entry, the learning phase ends. If the current port is different from the port listed in the identified forwarding table entry, the edge device determines that the source address has moved (i.e., that a MAC move has occurred) and updates the MAC forwarding table to reflect the new MAC address to port mapping.

Some edge devices are configured to implement one or more security protocols. For example, an edge device may be restricted to a maximum number of source MAC addresses that can be learned for each VLAN (virtual local area network). In another example, the edge device may be configured to lock down the MAC forwarding table in response to receipt of a MAC lock down command. In accordance with these approaches, after the maximum number of source MAC addresses has been learned or the MAC lock down command has been received, the edge device discards packets that contain source MAC addresses that are not listed in the current MAC address table. In another example, the number of moves of the MAC address over time is tracked in order to detect and prevent bridge forwarding loops. If the number of MAC moves of a particular source MAC address over a given period is above a threshold number, the edge device may block all packets that are associated with that source MAC address and issue a loop detection warning.

Systems and methods of managing MAC moves with secure port groups are described herein.

DESCRIPTION OF DRAWINGS

FIG. 1 is a diagrammatic view of an example of an edge device connecting network nodes in two virtual local area networks to the network nodes of another network.

FIG. 2 is a flow diagram of an example of a method of managing moves of a media access control (MAC) address.

FIG. 3 is a flow diagram of an example of a method of managing moves of a media access control (MAC) address.

FIG. 4 is a block diagram of an example of an edge device.

FIG. 5 is a diagrammatic view of an example of a table showing moves of a MAC address over time, an example of a table that maps ports of an edge device to secure port groups, and an example of a table showing MAC address table entries for the MAC address over time.

DETAILED DESCRIPTION

In the following description, like reference numbers are used to identify like elements. Furthermore, the drawings are intended to illustrate major features of exemplary embodiments in a diagrammatic manner. The drawings are not intended to depict every feature of actual embodiments nor relative dimensions of the depicted elements, and are not drawn to scale.

A “computer” is any machine, device, or apparatus that processes data according to computer-readable instructions that are stored on a computer-readable medium either temporarily or permanently. A “computer operating system” is a software component of a computer system that manages and coordinates the performance of tasks and the sharing of computing and hardware resources. A “software application” (also referred to as software, an application, computer software, a computer application, a program, and a computer program) is a set of instructions that a computer can interpret and execute to perform one or more specific tasks. A “data file” is a block of information that durably stores data for use by a software application.

The term “computer-readable medium” refers to any tangible, non-transitory medium capable of storing information (e.g., instructions and data) that is readable by a machine (e.g., a computer). Storage devices suitable for tangibly embodying such information include, but are not limited to, all forms of physical, non-transitory computer-readable memory, including, for example, semiconductor memory devices, such as random access memory (RAM), EPROM, EEPROM, and Flash memory devices, magnetic disks such as internal hard disks and removable hard disks, magneto-optical disks, DVD-ROM/RAM, and CD-ROM/RAM.

A “network node” (also referred to simply as a “node”) is a junction or connection point in a communications network. Exemplary network nodes include, but are not limited to, a terminal, a computer, and an edge device. A “server” network node is a host computer on a network that responds to requests for information or service. A “client” network node is a computer on a network that requests information or service from a server. A “network connection” is a link between two communicating network nodes.

An “edge device” is a network device that connects nodes in one network to nodes in another network. Examples of edge devices include a bridge (e.g., a switch or a hub), routers, routing switches, integrated access devices (IADs), and multiplexers.

A virtual local area network (VLAN) is a switched network that is logically segmented into groups of nodes without regard to the physical locations of the nodes.

A media access control (MAC) address is a unique identifier that is assigned to a network interface for communications on a physical network segment.

A “secure port” is a port that controls which packets will be received and forwarded based on a specified set of one or more source MAC addresses.

A “secure port group” is a configurable group of secure ports of an edge device, where permitted source MAC addresses are restricted to moves between the ports in the secure port group.

As used herein, the term “includes” means includes but not limited to, and the term “including” means including but not limited to. The term “based on” means based at least in part on.

The examples that are described herein provide systems and methods of managing MAC moves with secure port groups. In some of these examples, source MAC addresses are allowed to move between the ports of a specified port group, but are not allowed to move to ports outside of the specified port group. In this way, these examples can flexibly accommodate source MAC address moves without compromising security.

FIG. 1 shows an example of an edge device 20 that connects network nodes 22 in a first network 24 with network nodes 26 in a first VLAN 28 (VLAN 1) and network nodes 30 in a second VLAN 32 (VLAN 2).

The edge device 20 includes a plurality of ports (labeled 1-14) that are logically partitioned according to the first and second VLANs 28, 32. In particular, the edge device 20 maintains a data structure (e.g., a table or multiple tables) that assigns a VLAN ID corresponding to the first VLAN 28 to the uplink ports 1-4 and assigns a VLAN ID corresponding to the second VLAN 32 to the uplink ports 5-7. Although not shown, the ports 8-14 on the uplink side of the edge device 20 also may be partitioned into VLAN groups. Also not shown are alternate VLAN port configurations such as ports belonging to multiple VLANs. The VLAN port mapping data structure typically can be configured dynamically by a network administrator.

In addition to the VLAN partitions, the ports of the edge device 20 also are partitioned logically into a first secure port group 34 (Secure Port Group 1) and a second secure port group 36 (Secure Port Group 2). In particular, the edge device 20 maintains a data structure (e.g., a table or multiple tables) that assigns a Port Group ID corresponding to the first secure port group 34 to the ports 2-4 and 9-10, and assigns a Port Group ID corresponding to the second secure port group 36 to the ports 7, 13, and 14. As explained in detail below, each of the ports 2-4, 9-10, 7, 13, and 14 is a secure port that is restricted to forwarding packets having one or more specified source addresses and, for each secure port group 34, 36, the source MAC addresses that can be forwarded from the ports of the secure port group are restricted to moves between the ports of the secure port group.

FIG. 2 is a flow diagram of an example of a method of managing moves of a media access control (MAC) address with secure port groups. In accordance with the method of FIG. 2, the edge device 20 determines that a source MAC address is associated with a particular port that is a member of a secure group of ports of a network edge device (FIG. 2, block 40). The edge device 20 allows a move of the source MAC address to any port of the network edge device 20 that is a member of the secure group of ports (FIG. 2, block 42). The edge device 20 disallows moves of the MAC address to any port of the network edge device that is outside the secure group of ports (FIG. 2, block 44).

FIG. 3 shows an example of a method by which the edge device 20 manages moves of a media access control (MAC) address with secure port groups. In accordance with the method of FIG. 3, the edge device 20 receives an ingress packet (FIG. 3, block 80). The edge device 20 extracts a source MAC address from the received ingress packet (FIG. 3, block 82). If the port association of the source MAC address has not changed (FIG. 3, block 84), the edge device 20 processes the packet (FIG. 3, block 86). If the port association of the source MAC address has changed (FIG. 3, block 84), the edge device 20 determines whether or not the ingress packet is associated (e.g., by an entry in a MAC address table) with a port that is a member of a restricted port group (FIG. 3, block 88). If the ingress packet is not associated with a member of a secure port group, the edge device processes the packet (FIG. 3, block 86). If the ingress packet is associated with a member of a secure port group, the edge device determines whether or not the receipt port is a member of the secure port group (FIG. 3, block 90). If the receipt port is a member of the secure port group, the edge device processes the packet (FIG. 3, block 86). If the receipt port is not a member of the secure port group, the edge device 20 initiates a security action (e.g., filtering the packet and issuing a security warning) (FIG. 3, block 92).

FIG. 4 shows an example 50 of the edge device 20 that includes a plurality of ports 1-14, a memory 52, and a memory controller 54, which in turn includes a MAC address table 56 and a secure port group table 58. The ports 1-14, the memory 52, and the memory controller 54 typically are components of a single integrated circuit that are interconnected by a bus. In some examples, the memory controller 54 includes a programmable digital circuit that is operable to carry out the memory controller functions described herein. In some examples, the memory controller 54 includes a processor that executes instructions stored on at least one computer-readable medium. In some examples, one or both of the MAC address table 56 and the secure port group table 58 are stored on a memory device that is separate from the edge device 50 and is accessible to the memory controller 54 over a wired or wireless network connection.

When an ingress packet 60 is received on a port (e.g., port 3) of the edge device 50, the receipt port stores the packet in the memory 52 and extracts information from the header of the packet. In some examples, the receipt port extracts the source MAC address, the destination MAC address, and the VLAN ID from the packet header. The receipt port passes the extracted information and its Port ID to the memory controller 54.

The memory controller 54 determines whether or not the Port ID of the receipt port is a member of a secure port group based on the entries of the secure port group table 58.

If the Port ID of the receipt port is a member of a secure port group, the memory controller 54 determines if the extracted source MAC address is permitted to be received on the corresponding port based on the entries of the same secure port group table 58. If the source MAC address of the received packet is not a permitted source address, the packet is filtered (e.g., the packet is discarded) and the memory controller 54 optionally issues a security warning. If the source MAC address is a permitted source address, the memory controller 54 determines if a MAC move has occurred. In this process, the memory controller 54 searches the MAC address table 56 for an entry that associates an ingress port with the source MAC address and the VLAN ID that were extracted from the ingress packet.

If an entry for the source MAC address and VLAN ID of the received packet is found in the MAC table, the memory controller 54 compares the Port ID of the input port in the table entry to the Port ID of the receipt port. If these Port IDs are different, a MAC move is being attempted. If a MAC move is being attempted, the memory controller 54 determines whether the current packet's receipt port is a member of the same secure port group as the input port in the existing MAC table entry based on the entries of the secure port group table 58.

If the receipt port is a member of the same secure port group, the MAC move is permitted. In this case, the memory controller 54 updates the MAC address table 56 entry so that it associates the receipt port with the extracted source MAC address and VLAN ID; the memory controller 54 also searches the MAC address table 56 for an entry that associates an output port with the destination MAC address and the VLAN ID that were extracted from the ingress packet. If an entry for the destination MAC address and VLAN ID is found, the memory controller 54 transfers the packet 60 from the storage address in the memory 52 to the output port (e.g., port 9) listed in the entry. If an entry for the destination MAC address and VLAN ID is not found, the memory controller 54 floods the packet 60 from the memory 52 to all the available ports.

In some implementations, if the output port is not a member of the same secure port group as the receipt port, the memory controller 54 may optionally filter the packet (e.g., discard the packet) and optionally issue a security warning.

If the receipt port is a member of a secure port group and the source MAC address is a permitted source address for the same secure port group, but an entry for the source MAC address and VLAN ID is not found in the MAC address table 56, the memory controller 54 creates a new entry in the MAC address table 56 that associates the Port ID of the receipt port with the source MAC address and the VLAN ID that were extracted from the ingress packet.

If the Port ID of the receipt port is not a member of a secure port group, the memory controller 54 searches the MAC address table 56 for an entry that associates the source MAC address and VLAN ID that were extracted from the ingress packet with an input port.

If the Port ID of the receipt port is not a member of a secure port group and an entry for the source MAC address and VLAN ID is found in the MAC address table 56, the memory controller determines whether the port associated with the existing MAC table entry is a member of a secure port group. If that port is a member of a secure port group, there is an attempt to move the source MAC address outside the secure port group, and in this case the memory controller 54 filters the packet (e.g., discards the packet) and optionally issues a security warning. If that port is not a member of a secure port group, then the address move is processed normally and the packet is forwarded. If the Port ID of the receipt port is not a member of a secure port group and an entry for the source MAC address and VLAN ID is not found in the MAC address table 56, the memory controller 54 creates a new entry in the MAC address table 56 that associates the Port ID of the receipt port with the source MAC address and the VLAN ID that were extracted from the ingress packet. The memory controller 54 also searches the MAC address table 56 for an entry that associates an output port with the destination MAC address and the VLAN ID that were extracted from the ingress packet. If an entry for the destination MAC address and VLAN ID is found, the memory controller 54 transfers the packet 60 from the storage address in the memory 52 to the output port (e.g., port 9) listed in the entry. If an entry for the destination MAC address and VLAN ID is not found, the memory controller 54 floods the packet 60 from the memory 52 to all the permitted ones of the available ports.

FIG. 5 shows an example of a table 100 of moves of a MAC address A over time, a secure port group table 102 that maps ports of an edge device to secure port groups, and a table 104 that contains MAC address table entries for the MAC address A over time. The secure port group table 102 stores the associations between secure port groups, Port IDs, VLAN IDs, and restricted MAC addresses. In this example, ports 2, 3, 4, 9, 10, and 11 are members of secure port group 1, and ports 7, 13, and 14 are members of secure port group 2 (see FIG. 1). At time t0, the source MAC address A is associated with secure port group 1, as shown by the first entry in the MAC address table 104. Thus, as shown in the table 100, moves of MAC address A to ports 4 and 3 at times t2 and t3 are allowed, whereas moves of MAC address A to ports 1 and 12 at times t0 and t4 are not allowed. This is reflected in the MAC address table 104, which shows that only the permitted moves of the MAC address A between the ports 3 and 4 trigger updates to the port associations of MAC address A.
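The learning-phase decisions of FIG. 3 and the memory controller 54 of FIG. 4, replayed on the FIG. 5 scenario, as an added Python simulation that is not part of the patent. The group memberships and port numbers come from the page; the per-group permitted-MAC layout of the secure port group table, MAC A starting on port 3, and the order of arrivals on ports 1, 4, 3 and 12 are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    ingress_port: int
    src_mac: str
    dst_mac: str
    vlan: int


@dataclass
class EdgeDevice:
    ports: set[int]
    groups: dict[int, set[int]]            # secure port group table: group id -> member ports
    permitted: dict[int, set[str]]         # group id -> permitted source MACs (assumed layout)
    mac_table: dict[tuple[str, int], int] = field(default_factory=dict)  # (mac, vlan) -> port
    warnings: list[str] = field(default_factory=list)

    def group_of(self, port: int) -> Optional[int]:
        """Secure port group containing `port`, or None for an unsecured port."""
        for gid, members in self.groups.items():
            if port in members:
                return gid
        return None

    def _filter(self, pkt: Packet, reason: str) -> str:
        # Security action of FIG. 3 block 92: drop the packet and record a warning.
        self.warnings.append(f"port {pkt.ingress_port} src {pkt.src_mac}: {reason}")
        return "filter"

    def learn(self, pkt: Packet) -> str:
        """Learning-phase decision for one ingress packet: 'process' or 'filter'."""
        key = (pkt.src_mac, pkt.vlan)
        in_group = self.group_of(pkt.ingress_port)
        # A secure port only accepts the source MACs permitted for its group.
        if in_group is not None and pkt.src_mac not in self.permitted.get(in_group, set()):
            return self._filter(pkt, "source MAC not permitted on this secure port")
        old_port = self.mac_table.get(key)
        if old_port is None:                       # unknown source: learn a new entry
            self.mac_table[key] = pkt.ingress_port
            return "process"
        if old_port == pkt.ingress_port:           # no MAC move (block 84 -> 86)
            return "process"
        old_group = self.group_of(old_port)
        if old_group is None:                      # old port unsecured: ordinary move
            self.mac_table[key] = pkt.ingress_port
            return "process"
        if old_group == in_group:                  # move inside the secure group (block 90 -> 86)
            self.mac_table[key] = pkt.ingress_port
            return "process"
        # Move from a secure port to a port outside its group (block 90 -> 92).
        return self._filter(pkt, f"MAC move out of secure port group {old_group}")

    def forward(self, pkt: Packet) -> list[int]:
        """Forwarding-phase lookup: known destination -> one port, otherwise flood."""
        out = self.mac_table.get((pkt.dst_mac, pkt.vlan))
        if out is not None:
            return [out]
        return sorted(self.ports - {pkt.ingress_port})


def fig5_device() -> EdgeDevice:
    # Memberships from FIG. 5; MAC A is assumed to be the only permitted source
    # for group 1 and is assumed to start on port 3 (first entry of table 104).
    dev = EdgeDevice(
        ports=set(range(1, 15)),
        groups={1: {2, 3, 4, 9, 10, 11}, 2: {7, 13, 14}},
        permitted={1: {"A"}, 2: set()},
    )
    dev.mac_table[("A", 1)] = 3
    return dev


def run_fig5() -> tuple[list[str], int]:
    """Replay constructed arrivals of MAC A on ports 1, 4, 3 and 12 (table 100)."""
    dev = fig5_device()
    decisions = [dev.learn(Packet(p, "A", "B", 1)) for p in (1, 4, 3, 12)]
    return decisions, dev.mac_table[("A", 1)]
```

Only the two in-group moves update the entry for A, matching table 104; the arrivals on ports 1 and 12 are filtered and leave the entry pointing at port 3.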

Examples of the edge devices 20, 50 may be implemented by one or more discrete modules (or data processing components) that are not limited to any particular hardware, or machine readable instruction configuration (e.g., firmware or software). In the illustrated examples, these modules may be implemented in any computing or data processing environment, including in digital electronic circuitry (e.g., an application-specific integrated circuit, such as a digital signal processor (DSP)) or in computer hardware, device driver, or machine readable instructions (including firmware or software). In some examples, the functionalities of the modules are combined into a single data processing component. In some examples, the respective functionalities of each of one or more of the modules are performed by a respective set of multiple data processing components.

In some implementations, process instructions (e.g., machine-readable code, such as computer software) for implementing the methods that are executed by the examples of the edge devices 20, 50, as well as the data they generate, are stored in one or more machine-readable media. Storage devices suitable for tangibly embodying these instructions and data include all forms of non-volatile computer-readable memory, including, for example, semiconductor memory devices, such as random access memory (RAM), EPROM, EEPROM, and flash memory devices, magnetic disks such as internal hard disks and removable hard disks, magneto-optical disks, DVD-ROM/RAM, and CD-ROM/RAM.

In general, examples of the edge device 20 may be implemented in any one of a wide variety of electronic devices, including dedicated function edge devices (e.g., bridges, such as a switch or a hub, routers, routing switches, integrated access devices, and multiplexers) and general purpose computers.

Other embodiments are within the scope of the claims.

1-15. (canceled)
16. A method, comprising: determining an associated port of a source address of a received packet is different than a port on which the packet is received; processing the packet if the associated port and the port on which the packet is received are members of a secure port group; and if the associated port is a member of the secure port group and the port on which the packet is received is not a member of the secure port group, initiating a security action.
17. The method of claim 15, wherein determining an associated port of a source address of a received packet is different than a port on which the packet is received comprises: receiving a packet on the port; performing a lookup in an address table based on the source address to determine the associated port; and determining whether the port on which the packet is received and the associated packet determined from the lookup are the same or different.
18. The method of claim 17, comprising: if the port on which the packet is received and the associated port determined from the lookup are the same, processing the packet.
19. The method of claim 16, comprising: if the associated port is not a member of the secure group, processing the packet.
20. The method of claim 16, wherein the port on which the packet is received is on a network device, and the method comprises: allowing a move of the source MAC address to any port of the network device that is a member of the secure group; and disallowing moves of the source MAC address to any port of the network edge device that is outside the secure group.
21. The method of claim 16, comprising: receiving the packet on the port, wherein the port is on a network edge device.
22. The method of claim 16, wherein the source address is a MAC address.
23. A network device comprising: a plurality of ports; and a hardware controller to: determine an associated port of a source address of a packet received on a port of the plurality of ports based on an address table; determine whether the associated port is different than the port on which the packet is received; process the packet if the associated port and the port on which the packet is received are members of a secure port group; and if the associated port is a member of the secure port group and the port on which the packet is received is not a member of the secure port group, initiate a security action.
24. The network device of claim 23, comprising: a storage device storing the address table, and the controller is to perform a lookup on the address table based on the source address to determine the associated port.
25. The network device of claim 23, wherein the controller is to determine if the port on which the packet is received and the associated port are the same, and if the ports are the same, the packet is processed by the network device.
26. The network device of claim 23, wherein the controller is to determine if the associated port is not a member of the secure group, and if the associated port is not a member of the secure group, the packet is processed by the network device.
27. The network device of claim 23, wherein the controller is to: allow a move of the source MAC address to any port of the network device that is a member of the secure group; and disallow a move of the source MAC address to any port of the network edge device that is outside the secure group.
28. The network device of claim 23, wherein the secure group comprises a subset of the plurality of ports.
29. The network device of claim 23, wherein the network device is a network edge device.
30. A non-transitory computer readable medium storing machine readable instructions executable by a hardware controller to: determine an associated port of a source address of a received packet is different than a port on which the packet is received; process the packet if the associated port and the port on which the packet is received are members of a secure port group; and if the associated port is a member of the secure port group and the port on which the packet is received is not a member of the secure port group, initiate a security action.
31. The non-transitory computer-readable medium of claim 30, wherein the security action comprises at least one of filtering the packet and issuing a security warning.
32. The non-transitory computer-readable medium of claim 30, wherein the security action comprises at least one of filtering the packet and issuing a security warning.
33. The non-transitory computer-readable medium of claim 30, wherein the machine readable instructions are executable by the hardware controller to process the packet if the port on which the packet is received and the associated port determined are the same.
34. The non-transitory computer-readable medium of claim 30, wherein the machine readable instructions are executable by the hardware controller to process the packet if the associated port is not a member of the secure group.
35. The non-transitory computer-readable medium of claim 30, wherein the machine readable instructions are executable by the hardware controller to: allow a move of the source MAC address to any port of the network device that is a member of the secure group; and disallow a move of the source MAC address to any port of the network edge device that is outside the secure group.